The Insecurity Olympics: How 3 Companies Dropped the Baton

In the spirit of the recent 2012 Summer Olympic Games in London,
one provider of identity theft protection has decided to award
gold, silver and bronze medals to companies and government
institutions for their poor performances in protecting data in
the 2012 (In)Security Games.

There were many strong contenders, said Brian McGinley, IDentity
Theft 911's senior vice president of data risk management.

"Corporate America gave it a good effort, with a significant
number of data breaches. Hackers and digital con men bent on
stealing consumers' personal information seemed to make gains this
year, too," McGinley said in a statement. "Nearly 400 breaches
already have been reported this year, with about 19 million
customer records affected, according to Privacy Rights
Clearinghouse."

The gold went to Global Payments. For at least two months earlier
this year, and possibly much longer, attackers had access to the
payment processor's end-user and merchant databases. The company
says 1.5 million accounts were exposed; third-party estimates have
gone as high as 7 million.

Even worse was the company's handling of the matter. Global
Payments admitted the breach only after independent security
blogger Brian Krebs broke the news in late March.

The company then gave contradictory information about the breach
to investors and media outlets, and never fully disclosed exactly
what had happened or who was at risk. As a result, revelations
dribbled out for months, each painting a more serious picture than
the last.

Visa and MasterCard quickly dropped Global Payments from their
lists of approved transaction processors, a status that, as of
July 26, it was still trying to regain.

"This is another example of a payment-card processor [being] a
weak link in the chain of the payment industry," Goodman said.
"The system is only as strong as its weakest link.

"Part of the problem is that the card companies could also be
doing a better job to ensure these payment-processing companies
are doing what they need to do to secure that information — but
the card companies can't be there all the time."

Goodman said the payment-processing companies know they have
bull's-eyes on their backs, and it is ultimately up to those
companies to secure the data.

Every data breach is bad, but LinkedIn made this one worse: it
stored passwords as unsalted SHA-1 hashes, a fast scheme that is
easily cracked with a wordlist; it had no full-time security
officer; and it denied anything was wrong for nearly a full
business day, even as report after report about the breach piled
up online.

"The password dump, as it's called, was made freely available in
an online hacker forum, and it took third-party security wonks to
figure out it belonged to LinkedIn," McGinley said. "It's unclear
how much damage this information will cause users.

"But the breach warrants a silver medal because prevention was so
darn easy," McGinley added. "LinkedIn used a run-of-the-mill weak
encryption process and should have known better."
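To show concretely why prevention was "so darn easy," here is an added example, written for this page and not taken from LinkedIn or from the article's sources, that runs the same dictionary attack against unsalted SHA-1 hashes (the scheme LinkedIn actually used) and against salted PBKDF2 records. The wordlist, the sample passwords and the iteration counts are constructed assumptions for the demonstration; none of the values come from the real dump.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration; none of these values come
# from the real LinkedIn dump.
WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty", "welcome1"]
USER_PASSWORDS = ["password", "linkedin", "123456", "correct horse battery staple"]


def sha1_unsalted(password: str) -> str:
    """One fast, unsalted SHA-1 hash per password: the weak scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_unsalted_dump(passwords):
    """Simulate a leaked table of unsalted hashes."""
    return [sha1_unsalted(p) for p in passwords]


def crack_unsalted(dump, wordlist):
    """Dictionary attack on unsalted hashes.

    Each candidate word is hashed once and looked up against every leaked
    record, so the cost is len(wordlist) hashes no matter how many users
    are in the dump, and identical passwords share one hash.
    Returns (cracked {hash: password}, sha1_calls_made).
    """
    table = {sha1_unsalted(w): w for w in wordlist}
    cracked = {h: table[h] for h in dump if h in table}
    return cracked, len(wordlist)


def pbkdf2_record(password: str, iterations: int = 200_000) -> dict:
    """Hardened storage: a random per-user salt and a slow, iterated KDF.

    200,000 iterations is an assumed tuning value for this example; use the
    highest count your login latency budget allows.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_pbkdf2(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def crack_salted(records, wordlist):
    """The same dictionary attack against salted PBKDF2 records.

    The salt defeats any shared lookup table: every record costs a fresh
    pass over the wordlist, and every guess costs `iterations` HMACs.
    Returns (cracked {record_index: password}, kdf_calls_made).
    """
    cracked, calls = {}, 0
    for i, rec in enumerate(records):
        for w in wordlist:
            calls += 1
            if verify_pbkdf2(rec, w):
                cracked[i] = w
                break
    return cracked, calls


def compare_attack_cost(passwords=USER_PASSWORDS, wordlist=WORDLIST, iterations=10_000):
    """Run both attacks on the same passwords and report the work each took."""
    dump = build_unsalted_dump(passwords)
    weak_cracked, weak_calls = crack_unsalted(dump, wordlist)
    records = [pbkdf2_record(p, iterations) for p in passwords]
    strong_cracked, strong_calls = crack_salted(records, wordlist)
    return {
        "unsalted_cracked": len(weak_cracked),
        "unsalted_sha1_calls": weak_calls,
        "salted_cracked": len(strong_cracked),
        "salted_kdf_calls": strong_calls,
        "salted_hmac_calls": strong_calls * iterations,
    }


if __name__ == "__main__":
    for name, value in compare_attack_cost().items():
        print(f"{name:>22}: {value}")
```

Both attacks recover the same three weak passwords, because salting does not rescue a password that is in the attacker's wordlist. What changes is the bill: the unsalted attack costs six SHA-1 calls whether the dump holds four records or 6.5 million, while the salted attack has to re-run the KDF for every guess against every record, so the work grows with both the user count and the iteration setting.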

"It's not uncommon for large companies that suffer breaches to
not even really know that it's happened unless and until it's
pointed out by a third party," Goodman said. "But it's rather
embarrassing when that happens.

"When it's third-party security companies and white-hat hackers
who have to point out to you that there's a data dump, it's
shameful. It means that your security folks are asleep at the
wheel."

At LinkedIn, security may have been downplayed because the data it
holds, users' professional profiles, is public by design, Goodman
said.

"Because it's about your public persona from a professional
standpoint, there's no benefit in locking yourself down," Goodman
said. "But that's part of the problem, because it's treated so
nonchalantly."

Zappos, by contrast, was prepared for such a possibility and
handled its incident properly, even though its January breach
exposed some 24 million customer records.

"[The company's] reaction gained favorable coverage in the
security press and probably mitigated some of the damage,"
McGinley said. "So what could have been a gold-medal performance
took only the bronze."

"If you look at the numbers, it was one of the largest exposures,
but if you look at the way the company dealt with it, they were
more open about it and they worked through the process. I think
that kind of saved them," Goodman said.

"But the problem is that Zappos is aspiring to be another Amazon
and that means they've got a lot of data and they have to
recognize that," he added. "And that means there needs to be an
investment into securing that data."